Irked by U.S., but EU keeps own spy projects quiet

By Francesco Guarascio and Alastair Macdonald

8 Min Read

An illustration picture shows a projection of binary code on a man holding a laptop computer, in an office in Warsaw June 24, 2013.Kacper Pempel

BRUSSELS (Reuters) - Revelations of U.S. spying in Europe have soured transatlantic relations, prompting a White House apology and, as leak followed leak over the past two years, have fostered feelings of moral superiority among Europeans.

Yet EU governments are stepping up surveillance of their own citizens: last month France, smarting from Islamist attacks in January, passed intrusive laws on the very day it learned U.S. agents tapped French presidents' phones; this week, the European Parliament gave ground in a fight to block powers to track and share air passenger records among member states.

Less well known still is that the 28-nation European Union itself, as a collective institution, is spending hundreds of millions of euros developing security technologies that civil liberties watchdogs say jeopardize rights to privacy.

"Funding these programs is not per se problematic," said Nils Muiznieks, a Latvian who is human rights commissioner for the 47-state Council of Europe, a rights body that is not part of the EU. "It is how the new technologies will be used that poses a series of human rights concerns."

With concerns growing over Islamist violence even before the attacks in Paris in January, EU spending on security research, at 1.7 billion euros ($1.9 billion) in the bloc's 7-year budget from 2014, is 20 percent up on the previous period.

EU officials estimate that represents a hefty 40 percent of all such spending by the bloc's 28 member states, many of which lack capacity to develop such technology themselves. Among top priorities are finding ways to focus mass surveillance of the Internet, email, mobile phones and social networks on suspects.

"Member states do conduct their own research," said an EU official familiar with such projects who spoke privately as he was not authorized to speak. "But a lot of them like to go through us - it helps keep some of this stuff at arm's length."

Most of the research the EU funds, much of it by private firms including from non-European states such as the United States and Israel, is listed in public tender documents, though these are time-consuming to consult. But about a tenth of the spending is set aside for work classified as top secret.

LEGAL PROTECTIONS

Asked whether such research might lead to infringing civil liberties, a spokeswoman for the European Commission, Natasha Bertaud, said: "Fighting terrorism and keeping citizens safe is all about staying ahead of the game ... The EU brings together the industry and practitioners, and provides funding for developing cutting-edge technologies, in order to help member states better protect people and infrastructure."

Calling EU privacy standards among the highest in the world, she noted efforts to ensure companies based elsewhere also abided by data protection rules in the EU: "There can be no security without freedom and no freedom without security," she said.

A number of firms which have taken part in EU projects, including planemaker Airbus and Italy's Wind telecom [WINVFT.UL] declined comment. So too did Verint Systems Inc., a U.S. company with operations in Israel. Coordinator of four security projects, Verint received some four million euros in EU funding from 2007-13, according to Commission data.

Despite EU insistence that systems are designed to be kept under strict judicial control, some experts note that, once developed with EU cash, the software and devices owned by private firms could be used by any future buyer with fewer scruples.

The Council of Europe's Muiznieks said surveillance tools which have so far been subject to rigorous checks, may become easier to use as EU states toughen counter-terrorism measures.

Security technologies developed by EU projects have privacy protection tools embedded into them, said Francesca Gaudino at U.S. law firm Baker and McKenzie in Milan. These aim to make it impossible to use them without having whatever local legal authorization is required, for example to tap telephones.

Gaudino's firm was partner in a three-year EU-sponsored project known as CAPER - Collaborative information Acquisition, Processing, Exploitation and Reporting. Concluded nine months ago, it created a platform for police and security agencies to share data gathered in pursuit of organized crime gangs.

Gaudino said that while technologies developed under EU auspices were in themselves "neutral" - inherently neither good or bad for civil liberties - there was no guarantee how they might be used once they were no longer inside EU programs.

TECHNOLOGY IN DEMAND

Concern over the involvement of non-European companies in EU research projects was misplaced, however, the EU official said: "Of course, the Israeli firms get attention. They are getting a lot of EU money. But the reality is these guys are miles ahead of us in technology. And they are sharing it with us."

Officials say that among priorities for investment are mass surveillance technologies that let agencies sweep large amounts of audio, video and written data to zoom in on suspects.

These include deep packet inspection equipment to intercept online conversations, digital forensics to remotely access private computers, IMSI catchers - a mobile device for listening in to phone calls - social network analysis and data mining to profile people according to patterns they leave online.

Technologies to decrypt secured messages and to identify anonymised communications are also being developed.

Such projects trouble the chair of the European Parliament's civil liberties committee. Claude Moraes, a British Labour EU lawmaker, sees a "conflict of interest" between the development of these technologies and EU's frequent outcries at mass surveillance programs run by its international partners.

The revelations two years ago by fugitive U.S. National Security Agency contractor Edward Snowden on U.S. mass surveillance of private emails and phone data across the world still fuel suspicion in Europe and poison EU-U.S. relations.

The experience reinforced opposition among EU lawmakers, already strongly influenced by historic German mistrust of state surveillance, to proposals to share airline passengers records among European police forces. After two years of argument, it finally passed the committee stage in parliament on Wednesday.

That has delayed implementation of a system on which the EU has already spent several million euros in technology costs.

EU-funded security projects are no strangers to criticism.

One, known as INDECT, which ran for five years until 2014, developed ways to identify potential criminals using software to collate and analyze disparate information collected for example from CCTV, drones, GPS location services on phones.

Critics called it a real-life "Big Brother".

"The shift from identifying offenders to preventing crime implies that the presumption of innocence is no longer the normal case, but that all citizens are becoming suspects," argues David Wright, editor of 'Surveillance in Europe', an overview of the sector published last year.

The Emergency Support System project, run from 2009-13, was said to have improved authorities' response to crises but it used fast analysis based on technologies, such as IMSI catchers, which critics say are invasive of personal privacy.

The EU official familiar with the research projects said balancing security and freedoms was a problem: "Personally, of course, some of this makes me uncomfortable," he said. "But the others are all doing it and Europe needs to catch up."

On protecting civil liberties, he added: "We make an effort. But in the end of course once the firms develop this stuff, it's their proprietary product. They can sell it to who they want."